We have two main locations, Dallas and Phoenix. Both have Cisco ASA 5555 firewalls for VPN termination. We have multiple VPN remote locations with ASA 5510 or ASA 5505 firewalls. Most are using site-to-site tunnels to both Dallas and Phoenix. Dallas is HQ. Phoenix is the DR. Dallas has the 10.10.0.0 subnet. Phoenix has the 10.20.0.0 subnet. Both sit on an MPLS cloud, with 100 or so remote sites on MPLS behind them via BGP.
The EZVPN part is pretty easy as far as primary and backup servers. Is there a way to do it so that if a remote VPN site fails over to the backup (i.e. Dallas to Phoenix) we can then start to advertise the route out to the MPLS cloud properly?

Static routes installed shall be controlled by IP SLA. IP SLA will detect a lost/intermittent/latent path to Dallas/Phoenix and decide which static route to install in the FW route table.

From the perspective of the Dallas/Phoenix FW, it does reverse-route injection. What RRI does is inject static routes on the firewall for the remote VPN peer subnet when the tunnel is up. In the case where both VPN tunnels are up, both Dallas and Phoenix will have their own static route towards the remote VPN site. These static routes can then be redistributed to the MPLS cloud, with one site having a lower metric/preference than the other site.

Another solution is to run dynamic routing between the DC/DR FWs and the remote site VPN. This can be done by passing the routing protocol over a GRE tunnel. In this case, we need to set up a GRE over IPsec VPN tunnel between DC/DR and the remote VPN site. Routing protocols do not pass through a normal IPsec tunnel, but they can be run through GRE tunnels. GRE tunnels are less secure than IPsec tunnels, hence the GRE tunnel is encapsulated inside an IPsec VPN tunnel.

Let me know which solution you prefer, and which items you need to clarify and focus on first. Let me know if you need to clarify or correct some items discussed above.

Excellent ideas!
I like the reverse route inject option. I am looking at this as if we lose the Dallas internet connection but not the MPLS connection.
I would assume I would need to run routing between the firewall and the MPLS routers at each site then. Then the firewall would inject the routes into the routing table correct? Simple redistribute static?

PS. What did you use to create the image? Visio or something else?
Regards

I would assume I would need to run routing between the firewall and the MPLS routers at each site then.
Yes (it can be between the FW and the core switch of the DC, not necessarily the MPLS router).
And yes, simple static route redistribution into the dynamic protocol between the DC/DR FW and the core/WAN router. Take note that the FW-core routing protocol does not necessarily need to be part of the MPLS routing; it can be just between the FW and core, and redistribution can be done between them.

I am looking at this as if we lose the Dallas internet connection but not the MPLS connection.
If MPLS is lost on Denver for example, remember Phoenix is also sending a route to the remote VPN site (but with a less preferred metric). Hence, remote MPLS sites would converge to use Phoenix going towards the remote VPN site. However, loss of MPLS on the Denver side is not detected from the remote VPN site, hence we need to include the Denver MPLS side in the IP SLA configured on the remote VPN FW. So basically on the remote VPN FW, you need to set up IP SLA to "track" both the Denver public IP and the MPLS router IP (inside or far end: remote MPLS site). It depends on how much automatic convergence you may need.

One thing though, which I overlooked: will your remote site be using an Easy VPN setup? Are there any restrictions why it needs to be Easy VPN? (One thing I can think of is that the public IP is dynamic on the remote VPN site.)

Can you confirm? I believe RRI (reverse route injection) still works for Easy VPN, but let me look into integrating IP SLA with Easy VPN. As far as I know, in Easy VPN you can specify a primary/secondary VPN server (head-end - DC/DR), and failover occurs when the public IP of the DC is unreachable. This takes care of redundancy between DC/DR and the remote VPN site but does not address loss of the MPLS side.
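To make the RRI option concrete for the head-end side discussed in this answer and in the earlier one (RRI on the DC/DR firewall, static redistribution only between the FW and the core), here is an added example configuration for the Dallas ASA. It is not configuration from this thread or from Cisco; it uses ASA 8.4+/9.x syntax, and every address, name, metric and the OSPF process/area are assumed placeholders (outside 203.0.113.10, inside 10.10.255.1 facing the core switch, one static site-to-site peer 198.51.100.20 with LAN 10.30.1.0/24, plus a dynamic map for the EZVPN hardware clients). Phoenix would be identical apart from the redistribution metric.

```cisco
! Dallas ASA head-end: RRI into the routing table, then static -> OSPF toward the core.
! Added example; all IPs, names and metrics are assumed placeholders.

! IKEv1/IPsec basics (pre-shared key is a placeholder)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac

tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>

! Crypto ACL for the static site-to-site tunnel to remote site A
access-list DALLAS-TO-SITEA extended permit ip 10.0.0.0 255.0.0.0 10.30.1.0 255.255.255.0

! Static entry: with reverse-route, the ASA installs 10.30.1.0/24 as a static
! route (next hop = outside) only while this tunnel's SA is up.
crypto map OUTSIDE_MAP 10 match address DALLAS-TO-SITEA
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP 10 set reverse-route

! Dynamic entry for EZVPN hardware clients (the 5505/5510 remotes in NEM mode):
! reverse-route on the dynamic map injects each client's protected subnet.
crypto dynamic-map EZVPN_DYN 10 set ikev1 transform-set AES256-SHA
crypto dynamic-map EZVPN_DYN 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic EZVPN_DYN
crypto map OUTSIDE_MAP interface outside

! RRI routes are ordinary statics, so filter what gets redistributed:
! only remote-site prefixes, never the ASA's default route or other statics.
prefix-list VPN-SITES seq 10 permit 10.0.0.0/8 ge 24
route-map RRI-TO-OSPF permit 10
 match ip address prefix-list VPN-SITES

! OSPF runs only on the link between the ASA and the core switch;
! the core carries the prefixes on into MPLS/BGP.
router ospf 1
 network 10.10.255.0 255.255.255.0 area 0
 redistribute static metric 20 metric-type 1 subnets route-map RRI-TO-OSPF

! Phoenix: same configuration, worse metric, so MPLS sites prefer Dallas
! while both tunnels are up and converge to Phoenix when Dallas's route disappears:
!   redistribute static metric 100 metric-type 1 subnets route-map RRI-TO-OSPF
```

Once a remote tunnel is established, `show route static` on the ASA should list the remote site's prefix, and the core switch should see it as an OSPF external route; when the tunnel drops, the static is withdrawn and the Phoenix-originated copy becomes the only path. The route-map is the check worth keeping: without it, `redistribute static` also exports the ASA's default route and any manually configured statics into the core.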

Correct. We want to be able to use EZVPN at all the remote sites and get away from dedicated site-to-site tunnels. We want to run Overlay Transport Virtualization at the DR so that if the HQ side fails or we have to move it due to an emergency, we basically move the server subnets to the DR with no addressing changes.
